Bug #12629

Feature #5630: Reproducible builds

Document reproducible release process

Added by u 20 days ago. Updated 12 days ago.

Status: In Progress
Start date: 06/02/2017
Priority: Normal
Due date:
Assignee: anonym
% Done: 10%
Category: -
Target version: Tails_3.2
QA Check:
Blueprint:
Feature Branch: doc/12629-reproducible-release-process
Easy:
Type of work: Contributors documentation
Affected tool:

Description

We need to update the release process documentation to take care of reproducible ISOs and IUKs.


Related issues

Related to Tails - Feature #12628: Draft a "user" (aka. RM) story for the reproducible release process Confirmed 06/02/2017

Associated revisions

Revision 2ca22f37
Added by intrigeri 12 days ago

Release process: fetch the ISO from Jenkins and ensure it matches the signature created by the release manager (refs: #12629).

History

#1 Updated by u 20 days ago

  • Related to Feature #12628: Draft a "user" (aka. RM) story for the reproducible release process added

#2 Updated by intrigeri 20 days ago

  • Status changed from New to Confirmed

#3 Updated by intrigeri 12 days ago

  • Target version set to Tails_3.2

I see two main aspects here, that I'll discuss first for ISOs and then for IUKs.

For the ISO image:

  • ensure at least N entities produced the same ISO: developers' laptop? CI infra? where do we set the bar?
  • avoid having to upload the ISO at release time, and while we're at it, fix the "Upload images" section of the release process doc (AFAIK no RM has actually followed it as-is for years); so, instead of pretending we seed the ISO and then copy it from bittorrent.lizard to rsync.lizard, we should probably instead:
    • scp the detached signature to rsync.lizard
    • ssh rsync.lizard and wget the ISO built by Jenkins
    • verify the detached signature
    • scp the Torrent to bittorrent.lizard
    • ssh bittorrent.lizard, wget the ISO built by Jenkins, add to Transmission

For IUKs:

  • "ensure at least N entities produced the same" still applies, modulo we don't build them on our CI so only developers can reproduce them;
  • regarding publication, it's a bit more subtle since we don't build them on our CI so one needs to upload them (which apparently is not documented yet BTW).

Out of personal interest I might give "avoid having to upload the ISO" a try during the 3.0 release process, in which case I'll probably draft the needed changes in a branch; then anonym can test & polish them.
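
An added example, not part of the ticket or of the Tails release process documentation: one way to script the two checks discussed in comment #3, accepting the Jenkins-built ISO only if at least N builders reported the same digest and the release manager's detached signature verifies. The function names, the use of SHA-256 and one `sha256sum` output file per builder are assumptions; N stays a parameter because the ticket does not set it.

```bash
#!/usr/bin/env bash
# Added example; function names and the digest-file format are assumptions.

# Print the SHA-256 hex digest of a file.
iso_digest() {
    sha256sum -- "$1" | cut -d' ' -f1
}

# count_matching_builds ISO DIGEST_FILE...
# Each DIGEST_FILE is one builder's `sha256sum` output for its own build.
# Prints how many builders report the digest of the locally fetched ISO.
count_matching_builds() {
    local iso want got n f
    iso=$1; shift
    [ -r "$iso" ] || return 2
    want=$(iso_digest "$iso")
    [ -n "$want" ] || return 2
    n=0
    for f in "$@"; do
        # A missing or empty digest file yields an empty value and no match.
        got=$(head -n1 "$f" 2>/dev/null | cut -d' ' -f1)
        if [ "$got" = "$want" ]; then n=$((n + 1)); fi
    done
    echo "$n"
}

# quorum_reached ISO MIN DIGEST_FILE...
# Succeeds only if at least MIN builders reproduced the ISO bit for bit.
quorum_reached() {
    local iso min n
    iso=$1; min=$2; shift 2
    n=$(count_matching_builds "$iso" "$@") || return 2
    [ "$n" -ge "$min" ]
}

# verify_release ISO SIG MIN DIGEST_FILE...
# Quorum first, then the detached signature; the signing key must already
# be in the keyring of the host running this.
verify_release() {
    local iso sig min
    iso=$1; sig=$2; min=$3; shift 3
    if ! quorum_reached "$iso" "$min" "$@"; then
        echo "fewer than $min builders reproduced $iso" >&2
        return 1
    fi
    gpg --verify "$sig" "$iso"
}
```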

#4 Updated by intrigeri 12 days ago

  • Status changed from Confirmed to In Progress
  • % Done changed from 0 to 10
  • Feature Branch set to doc/12629-reproducible-release-process

Draft written and tested for the ISO publication. I'll push once I've tested the bits about the IUKs and Torrent.

#5 Updated by intrigeri 12 days ago

Pushed! My branch addresses the "ensure at least N entities produced the same" part, but the other part is left as an exercise to the reader^W^Wanonym :)
